Ensure that the client respects key expiry in all keyrings but blacklist
Bug #1192717 reported by
Stéphane Graber
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Ubuntu system image |
Fix Released
|
High
|
Barry Warsaw | ||
| system-image (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Subject says it all. If a key in any of the keyrings but the blacklist is expired, it needs to be considered invalid and skipped.
This is likely to happen in 2015 when the image-signing keyring will contain the 2013, 2014 and 2015 signing key and the 2013 will reach its expiry (of 2 years). At this point, any file signed by the 2013 key and not by any of the two others, needs to be considered invalid.
Related branches
| Changed in ubuntu-system-image: | |
| assignee: | nobody → Barry Warsaw (barry) |
| tags: | added: client |
| Changed in ubuntu-system-image: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Changed in ubuntu-system-image: | |
| importance: | Medium → High |
Revision history for this message
| Barry Warsaw (barry) wrote | #1 |
| Changed in ubuntu-system-image: | |
| milestone: | none → 2.0 |
| status: | Triaged → In Progress |
| Changed in ubuntu-system-image: | |
| status: | In Progress → Fix Committed |
| Changed in ubuntu-system-image: | |
| status: | Fix Committed → Fix Released |
| Changed in system-image (Ubuntu): | |
| status: | New → Fix Released |
To post a comment you must log in.
When downloading anew, all keyring expiry values are checked.
For cached keyrings, I will add checks similar to LP: #1195057, i.e. specifically on the image-master and image-signing keyrings. We don't need to check blacklist or device-signing since these are always downloaded, and we don't need to check archive-master for the same reasons as described in LP: #1195057